Establish Site-to-Site VPN Connection using Digital...
14
November 2015 Page 1 of 14 Workflow Guide Establish Site-to-Site VPN Connection using Digital Certificates For Customers with Sophos Firewall Document Date: November 2015
Transcript of Establish Site-to-Site VPN Connection using Digital...
November 2015 Page 1 of 14
Workflow Guide Establish Site-to-Site VPN Connection using Digital Certificates For Customers with Sophos Firewall
Document Date: November 2015
Establish Site-to-Site VPN Connection using Digital Certificates
November 2015 Page 2 of 14
Contents
Overview .......................................................................................................................................... 3
Prerequisites ................................................................................................................................... 3
Scenario ........................................................................................................................................... 3
Configuration .................................................................................................................................. 4 Step 1: Upload HO Sophos Firewall’s Default CA to BO Sophos Firewall (SF) ..............................................4
Head Office .............................................................................................................................................................4 Branch Office ..........................................................................................................................................................5
Step 2: Upload BO Sophos Firewall’s Default CA to HO Sophos Firewall .......................................................6 Step 3: Upload HO Sophos Firewall’s Digital Certificate to BO Sophos Firewall ............................................6
Head Office .............................................................................................................................................................6 Branch Office ..........................................................................................................................................................7
Step 4: Upload BO Sophos Firewall’s Digital Certificate to HO Sophos Firewall ............................................8 Step 5: Configure IPsec Connection .......................................................................................................................8
Head office ..............................................................................................................................................................8 Branch Office ....................................................................................................................................................... 11
Establish Site-to-Site VPN Connection using Digital Certificates
November 2015 Page 3 of 14
Overview
A digital certificate is an electronic "passport" that allows a person, computer or organization to exchange information securely over the Internet using the public key infrastructure (PKI). A digital certificate may also be referred to as a public key certificate.
Just like a passport, a digital certificate provides identifying information, is forgery resistant and can be verified because it was issued by an official, trusted agency. The certificate contains the name of the certificate holder, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures) and the digital signature of the certificate-issuing authority (CA) so that a recipient can verify that the certificate is real.
Prerequisites
Exchange Certificate Authority (CA) and Digital Certificates between a Head Office (HO) and Branch Office (BO) and, then, configure and establish an IPsec connection between them.
Scenario
Configure a site-to-site IPsec VPN connection between Site A and Site B by following the steps given below. In this article, we have used the following parameters to create the VPN connection.
Network Parameters
HO Network details
Local WAN IP address – 10.206.1.173
Local LAN address –172.17.17.0/24
BO Network details Remote WAN IP address – 10.206.1.213
Remote LAN Network –172.16.16.0/24
Establish Site-to-Site IPsec Connection using Digital Certificates
November 2015 Page 4 of 14
Configuration
You must be logged on to the Admin Console of both HO and BO SF as an administrator with Read-Write permission for relevant feature(s).
Step 1: Upload HO Sophos Firewall’s Default CA to BO Sophos Firewall (SF)
Head Office
Go to Objects > Identity > Certificate Authority or System > VPN > Certificate Authority and select Default CA. Specify the details of the CA, as shown below.
Establish Site-to-Site IPsec Connection using Digital Certificates
November 2015 Page 5 of 14
Once CA is generated, download the CA to your local computer by clicking the Download Icon against it.
A file named local_certificate_authority.tar.gz is downloaded. Store and uncompress the file. The file contains the CA Root Certificate in Two (2) Formats:
- Default.pem (PEM File)
- Default.der (Security Certificate)
Branch Office
Upload the CA Certificates (downloaded from HO) to BO SF. To upload CA, go to Objects > Identity > Certificate Authority or System > VPN > Certificate Authority and click Add. Upload the CA Root Certificate in either PEM or DER format.
Click OK to save the HO Default CA in BO Sophos Firewall.
Establish Site-to-Site IPsec Connection using Digital Certificates
November 2015 Page 6 of 14
Step 2: Upload BO Sophos Firewall’s Default CA to HO Sophos Firewall
Configure and download the Default CA in BO SF and upload it on HO SF using similar steps as shown in step 1.
Step 3: Upload HO Sophos Firewall’s Digital Certificate to BO Sophos Firewall
Head Office
Create a Self-Signed Certificate in HO SF. Go to Objects > Identity > Certificate or System > VPN > Certificate and click Add to create a new certificate. Select Generate Self Signed Certificate and specify the details as shown below.
Click Save to save certificate.
Once Certificate is generated, download it to your local computer by clicking the Download Icon against it.
Establish Site-to-Site IPsec Connection using Digital Certificates
November 2015 Page 7 of 14
A file named HO_Certificate.tar.gz is downloaded. Store and uncompress the file. The file contains the following certificate files:
- UserPrivateKey.key (KEY File)
- UserCertificate.pem (PEM File)
- RootCertificate (PEM File)
- Password.txt (Passphrase if Key Encryption is enabled)
- HO_Certificate.p12 (Personal Information Exchange)
Branch Office
Upload the Certificate (downloaded from HO Sophos Firewall) to BO Sophos Firewall. To upload certificate, go to Objects > Identity > Certificate or System > VPN > Certificate and click Add. Select Certificate as UserCertificate.pem, Private Key as UserPrivateKey.pem and specify the Passphrase.
Establish Site-to-Site IPsec Connection using Digital Certificates
November 2015 Page 8 of 14
Click Save to save the certificate.
Step 4: Upload BO Sophos Firewall’s Digital Certificate to HO Sophos Firewall
Configure and download the Self-signed certificate in BO SF and upload it on HO SF using similar steps as shown in step 3.
Step 5: Configure IPsec Connection
Head office
Implement the following steps on HO Sophos Firewall.
1. To create a new IPsec connection, go to System > VPN > IPsec and click Add. Create the connection
using the following parameters.
Parameters Value Description
General Settings
Name HO_to_BO_IPsec Specify a unique name to identify IPsec Connection.
Connection Type SitetoSite Select SitetoSite.
Policy DefaultHeadOffice Select policy to be used for connection.
Policy can also be added by clicking “Create New” link.
Action on VPN Restart
Respond Only
Select the Action to be taken on the connection when VPN services or Device restarts.
Available Options
- Respond Only: Keeps connection ready to respond to any incoming request.
- Initiate: Activates connection on system/service start so that the connection can be established whenever required.
- Disable: Keeps connection disabled till the user activates.
Authentication Details
Authentication Type Digital Certificate Select Authentication Type. Authentication of user depends on the type of connection.
Local Certificate HOCertificate Select the local certificate that should be used for authentication by the device.
Remote Certificate BOCertificate Select the remote certificate that should be used for authentication by remote peer.
Endpoint Details
Local PortB-10.206.1.173 Select Local WAN port from the list. IP Aliases created for WAN interfaces will be listed along with the default WAN interfaces.
Establish Site-to-Site IPsec Connection using Digital Certificates
November 2015 Page 9 of 14
Remote 10.206.1.213
Specify an IP Address or domain name of the remote peer.
Click Add icon against the option “Remote” to add new endpoint pairs or
click Remove icon to remove the endpoint pairs.
Network Details
IP Family IPv4
Select IP family to configure IPsec VPN tunnels with mixed IP families. Available Options: - IPv4 - IPv6 By default, IPv4 will be selected. Four types of IPsec VPN tunnels can be created: 4 in 4 (IPv4 subnets with IPv4 gateway) 6 in 6 (IPv6 subnets with IPv6 gateway) 4 in 6 (IPv4 subnets with IPv6 gateway) 6 in 4 (IPv6 subnets with IPv4 gateway)
Local Subnet 172.17.17.0/24 Select Local LAN Address of Site A. Add and Remove LAN Address using Add Button and Remove Button.
Remote LAN Network
172.16.16.0/24
Select IP Addresses and netmask of remote network in Site B which is allowed to connect to the Device server through VPN tunnel. Multiple subnets can be specified. Select IP Hosts from the list of IP Hosts available. You can also add a new IP Host and include in the list.
Establish Site-to-Site IPsec Connection using Digital Certificates
November 2015 Page 10 of 14
2. Click Save to create IPsec connection. On clicking Save, the following screen is displayed showing the
connection created above.
Establish Site-to-Site IPsec Connection using Digital Certificates
November 2015 Page 11 of 14
3. Click under Status (Active) to activate the connection.
Branch Office
Implement the following steps on BO Sophos Firewall
1. To create a new IPsec connection, go to System >VPN > IPsec and click Add. Create the connection using the following parameters.
Parameters Value Description
General Settings
Name BO_to_HO_IPSec Specify a unique name to identify IPsec Connection.
Connection Type SitetoSite Select SitetoSite.
Policy DefaultBranchOffice Select policy to be used for connection.
Policy can also be added by clicking “Create New” link.
Establish Site-to-Site IPsec Connection using Digital Certificates
November 2015 Page 12 of 14
Action on VPN Restart
Initiate
Select the Action to be taken on the connection when VPN services or Device restarts.
Available Options
- Respond Only: Keeps connection ready to respond to any incoming request.
- Initiate: Activates connection on system/service start so that the connection can be established whenever required.
- Disable: Keeps connection disabled till the user activates.
Authentication Details
Authentication Type Digital Certificate Select Authentication Type. Authentication of user depends on the type of connection.
Local Certificate BOCertificate Select the local certificate that should be used for authentication by the device.
Remote Certificate HOCertificate Select the remote certificate that should be used for authentication by remote peer.
Endpoint Details
Local PortB-10.206.1.213 Select Local WAN port from the list. IP Aliases created for WAN interfaces will be listed along with the default WAN interfaces.
Remote 10.206.1.173
Specify an IP Address or domain name of the remote peer.
Click Add icon against the option “Remote” to add new endpoint pairs or
click Remove icon to remove the endpoint pairs.
Network Details
IP Family IPv4
Select IP family to configure IPsec VPN tunnels with mixed IP families. Available Options: - IPv4 - IPv6 By default, IPv4 will be selected. Four types of IPsec VPN tunnels can be created: 4 in 4 (IPv4 subnets with IPv4 gateway) 6 in 6 (IPv6 subnets with IPv6 gateway) 4 in 6 (IPv4 subnets with IPv6 gateway) 6 in 4 (IPv6 subnets with IPv4 gateway)
Local Subnet 172.16.16.0/24 Select Local LAN Address of Site B. Add and Remove LAN Address using Add Button and Remove Button.
Remote LAN Network
172.17.17.0/24
Select IP Addresses and netmask of remote network in Site A which is allowed to connect to the Device server through VPN tunnel. Multiple subnets can be specified. Select IP Hosts from the list of IP Hosts available. You can also add a new IP Host and include in the list.
Establish Site-to-Site IPsec Connection using Digital Certificates
November 2015 Page 13 of 14
4. Click Save to create IPsec connection. On clicking Save, the following screen is displayed showing the
connection created above.
Establish Site-to-Site IPsec Connection using Digital Certificates
November 2015 Page 14 of 14
Click under Status (Active) and Status (Connection).
The above configuration establishes an IPsec connection between Two (2) sites.
Note:
Make sure that Security Policies that allow LAN to VPN and VPN to LAN traffic are configured.
In a Head Office and Branch Office setup, usually the Branch Office acts as the tunnel initiator and
Head Office acts as a responder due to following reasons:
Since Branch Office or other Remote Sites have dynamic IPs, Head Office is not able to initiate the
connection.
As there can be many Branch Offices, to reduce the load on Head Office it is a good practise that
Branch Offices retries the connection instead of the Head Office retrying all the branch office
connections.
Document Version: 1.0 – 6 November, 2015
